Securing a web application



brazenskies
10-13-2009, 12:07 PM
Yet another thread about security/sql injection I'm afraid.

I'm just wanting to get some other views on if the code I have used to protect from sql injection is secure enough.

Basically an eventID is passed into the querystring to get the row from the db...



if(isset($_GET["eventid"])){
    // Escape the raw querystring value, then require it to be numeric
    $evt = mysql_real_escape_string($_GET["eventid"]);
    if(!is_numeric($evt)){
        $isevt = false;
        $error = "Oops, you seem to have specified an invalid event ID!";
    }else{
        $isevt = true;
    }
}else{
    // No eventid in the querystring at all
    $isevt = false;
    $error = "No Event Specified";
}


then it goes on to...



if($isevt){
    //Access the database and get the row
}else{
    echo $error;
}

abduraooft
10-13-2009, 12:49 PM
$evt = mysql_real_escape_string($_GET["eventid"]);

You don't need to apply mysql_real_escape_string() on any integer/numeric data. Functions like ctype_digit() or is_numeric() are enough for that. (SQL injection is possible only via string inputs and not by numeric inputs.)

brazenskies
10-13-2009, 01:13 PM
OK so, it's perfectly secure with is_numeric()?
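As an added illustration for the question above (this is not code from the thread or from any poster), the snippet below contrasts what is_numeric() accepts with a strict digits-only check, and then binds the validated ID as an integer parameter so the query never relies on escaping. The table and column names and the $db connection are assumptions; the thread gives no schema.

```php
<?php
// Added example, not from the thread: strict event-ID validation plus a
// bound parameter, instead of escaping followed by is_numeric().

// Returns the event ID as a positive int, or null if the input is not a
// plain decimal integer. is_numeric() alone also accepts forms such as
// "1e3", " 42", "+7" and "3.0", which is why it is shown only for contrast.
function parse_event_id(string $raw): ?int {
    // Strict: ASCII digits only, no sign, no whitespace, no exponent.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects leading zeros and out-of-range values.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs showing where is_numeric() and the strict check disagree.
foreach (['42', '1e3', ' 42', '3.0', '-1', '0', '00042', 'abc'] as $raw) {
    printf("%-8s is_numeric=%-5s strict=%s\n",
        var_export($raw, true),
        is_numeric($raw) ? 'true' : 'false',
        var_export(parse_event_id($raw), true));
}

// Assumed table "events" with columns id and name (not given in the thread).
function fetch_event(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name FROM events WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // bound as an integer, never interpolated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Querystring handling: eventid[]=1 arrives as an array, so check the type first.
$raw = $_GET['eventid'] ?? '';
$id  = is_string($raw) ? parse_event_id($raw) : null;
if ($id === null) {
    echo 'Oops, you seem to have specified an invalid event ID!';
} else {
    // $db is an assumed PDO connection with PDO::ERRMODE_EXCEPTION enabled.
    // $event = fetch_event($db, $id);
}
```

Run from the command line, the loop prints each constructed input with the two verdicts side by side; only '42' passes the strict check, while is_numeric() also accepts '1e3', ' 42', '3.0', '-1', '0' and '00042'.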


